Re: [websec] ignoring STS header fields with undefined directives (was: new rev: draft-ietf-websec-strict-transport-sec-08)

Julian Reschke <julian.reschke@gmx.de> Sat, 02 June 2012 06:01 UTC

Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42B2221F8A8C for <websec@ietfa.amsl.com>; Fri, 1 Jun 2012 23:01:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tk0ZPoohVGnw for <websec@ietfa.amsl.com>; Fri, 1 Jun 2012 23:01:37 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.23]) by ietfa.amsl.com (Postfix) with SMTP id 03D3821F8A8B for <websec@ietf.org>; Fri, 1 Jun 2012 23:01:36 -0700 (PDT)
Received: (qmail invoked by alias); 02 Jun 2012 06:01:35 -0000
Received: from p54BB353B.dip.t-dialin.net (EHLO [192.168.178.36]) [84.187.53.59] by mail.gmx.net (mp017) with SMTP; 02 Jun 2012 08:01:35 +0200
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX1/cPTQxajTcxbGNukswC7tZYTjiFwhQ0ijv1gQ6hd 5uF/qnKzNnHb5X
Message-ID: <4FC9AC3F.8070800@gmx.de>
Date: Sat, 02 Jun 2012 08:01:35 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20120428 Thunderbird/12.0.1
MIME-Version: 1.0
To: =JeffH <Jeff.Hodges@KingsMountain.com>
References: <4FC95CAD.20600@KingsMountain.com>
In-Reply-To: <4FC95CAD.20600@KingsMountain.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] ignoring STS header fields with undefined directives (was: new rev: draft-ietf-websec-strict-transport-sec-08)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Jun 2012 06:01:38 -0000

On 2012-06-02 02:22, =JeffH wrote:
>  > On 2012-06-01 20:32, =JeffH wrote:
>  >
>  >> Alexey wrote:
>  >>
>  >> > Most of my issues were addressed in the latest version, except for
>  >> this one:
>  >> >
>  >> > > 6.1. Strict-Transport-Security HTTP Response Header Field
>  >> > >
>  >> > > 4. UAs MUST ignore any STS header fields containing directives, or
>  >> > > other header field value data, that does not conform to the
>  >> > > syntax defined in this specification.
>  >> >
>  >> > So this is saying that syntactically invalid STS header fields are
>  >> > to be ignored. This still doesn't say if unrecognized directives
> are to
>  >> > be ignored or not. (Because they can comply with the generic
> syntax for
>  >> > directives, so they would be syntactically valid, albeit
> unrecognized).
>  >> > So can you please add an explicit sentence about that?
>  >>
>  >>
>  >> Here's the text in my working copy for that item..
>  >>
>  >> <t>
>  >> UAs MUST ignore any STS header fields containing
>  >> directives, or other header field value data, that does
>  >> not conform to the syntax defined in this specification.
>  >> UAs MUST also ignore any STS header fields containing
>  >> undefined directives.
>  >> </t>
>  >>
>  >> Ok?
>  >> ...
>  >
>  > That makes it basically impossible to add extensions; is that intended?
>
> No, that is not my intention, nor the WG's as far as I understand.
>
>
> Alexey follows up with:
>  >
>  > I agree with Julian: this will make the header field effectively non
>  > extensible. And if you update the header field by adding new values, all
>  > older implementations will start ignoring it, which is a deployment
>  > headache.
>
> Ok, so the first proposal is broken, how about this..
>
> <t>
> UAs MUST ignore any STS header fields containing
> directives, or other header field value data, that does
> not conform to the syntax defined in this specification.
> </t>
> <t>
> UAs MUST ignore any directives they
> do not recognize, but MAY accept and
> process a STS header field containing an
> unrecognized directive but otherwise
> satisfying the other
> requirements (1 through 4) stated here.
> </t>
>
> ..?
>
> Note that the paragraph following the above numbered list items states:
>
> Additional directives extending the semantic functionality of the STS
> header field can be defined in other specifications.

"UAs MUST ignore any directives they do not recognize, ..."

Yes.

" ...but MAY accept and process a STS header field containing an 
unrecognized directive but otherwise satisfying the other requirements 
(1 through 4) stated here."

Why "MAY accept" here? If the MUST ignore extension directives, doesn't 
that mean that that "MAY" indeed is a "MUST"?

Best regards, Julian